iptables: No chain/target/match by that name #55

Closed
bmccorm2 opened this issue Jul 24, 2020 · 2 comments

@bmccorm2

Sorry, I know there are other issues on this and I have read them, but I still cannot figure out a solution to my problem :/

Behaviour

I have two instances of f2b running: input (ssh) and docker (postfix service I am having issues with). I followed examples for ssh and it works great, but I am getting an error for my postfix service.

Configuration

  • Docker version (type docker --version) : Docker version 18.09.1, build 4c52b90
  • Docker compose version if applicable (type docker-compose --version) : docker-compose version 1.21.0, build unknown
  • Postfix is running in another container that I built (with dovecot, spamassassin, etc). Ports 25, 465, and 993 are exposed in this container.
  • Platform (Debian 9, Ubuntu 18.04, ...) : Debian 10
  • System info (type uname -a) : 4.19.118 kernel
  • docker-compose.yml
  f2b-input:
    image: crazymax/fail2ban
    container_name: f2b-input
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    env_file:
      - env/f2b.${ENV}.env
    environment: 
      - "F2B_IPTABLES_CHAIN=INPUT"
    volumes:
      - /opt/f2b-input:/data
      - /var/log:/var/log:ro
    restart: always

  f2b-docker:
    image: crazymax/fail2ban
    container_name: f2b-docker
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    env_file:
      - env/f2b.${ENV}.env
    environment: 
      - "F2B_IPTABLES_CHAIN=DOCKER-USER"
    volumes:
      - /opt/f2b-docker:/data
      - /var/log:/var/log:ro
    restart: always
  • f2b.prd.env
TZ=America/Denver

F2B_LOG_TARGET=STDOUT
F2B_LOG_LEVEL=INFO
F2B_DB_PURGE_AGE=1d
  • Postfix jail
[postfix]
enabled = true
# To use another modes set filter parameter "mode" in jail.local:
filter  = postfix[mode=aggressive]
port    = smtp,465,submission
chain = DOCKER-USER
logpath = %(postfix_log)s
backend = %(postfix_backend)s
  • Default conf
[DEFAULT]
bantime.increment = true
bantime.rndtime = 60
bantime.maxtime = 2592000
bantime.factor = 2
bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
bantime.multipliers = 1 5 30 60 300 720 1440 2880
bantime.overalljails = false
ignoreself = true
ignorecommand =
bantime  = 60m
findtime  = 10m
maxretry = 5
maxmatches = %(maxretry)s

Logs

For f2b-docker container:

2020-07-23 21:08:29,136 fail2ban.filter         [1]: INFO    [postfix] Found 185.222.58.118 - 2020-07-23 21:08:29
2020-07-23 21:08:29,280 fail2ban.actions        [1]: NOTICE  [postfix] Ban 185.222.58.118
2020-07-23 21:08:29,288 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- exec: iptables -w -N f2b-postfix
iptables -w -A f2b-postfix -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- stderr: 'iptables: Chain already exists.'
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-07-23 21:08:29,289 fail2ban.utils          [1]: ERROR   7f504a1da9f0 -- returned 1
2020-07-23 21:08:29,290 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'postfix' action 'iptables-multiport' info 'ActionInfo({'ip': '185.222.58.118', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f504a851dc0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f504a84c4c0>})': Error starting action Jail('postfix')/iptables-multiport: 'Script error'
2020-07-23 21:08:35,738 fail2ban.filter         [1]: INFO    [postfix] Found 212.70.149.67 - 2020-07-23 21:08:35

@crazy-max
Owner

@bmccorm2 F2B_IPTABLES_CHAIN env var has been removed and README updated to use chain = <name> def. Can you try with this new behavior?

@bmccorm2
Author

Cool, thanks, I think that is a good change. I was going along the same lines with my setup (now have one container and would specify the chain within the jail.conf file). But I am still getting that same error.

And today I just tried installing fail2ban on the host and running it, and it worked perfectly fine. I don't know if I have some setup issue, but the docker-fail2ban image will not write to my iptables for the DOCKER-USER chain. I use the same default action for postfix in the container as I do for the host package, but for whatever reason it fails in the container. I can go into the container and verify those commands fail, but I don't know enough about iptables to be able to fix it.

  • docker-compose.yml
  f2b:
    image: crazymax/fail2ban
    container_name: f2b
    network_mode: "host"
    cap_add:
      - NET_ADMIN
      - NET_RAW
    env_file:
      - env/f2b.${ENV}.env
    volumes:
      - /opt/f2b:/data
      - /var/log:/var/log:ro
    restart: always
  • f2b.prd.env
TZ=America/Denver

F2B_LOG_TARGET=STDOUT
F2B_LOG_LEVEL=INFO
F2B_DB_PURGE_AGE=1d
  • postfix.conf
[postfix]
enabled = true
# To use another modes set filter parameter "mode" in jail.local:
filter  = postfix[mode=aggressive]
port    = smtp,465,submission
chain = DOCKER-USER
logpath = %(postfix_log)s
backend = %(postfix_backend)s
  • Fail2ban Logs
2020-07-30 16:39:25,498 fail2ban.actions        [1]: NOTICE  [postfix] Ban 212.70.149.67
2020-07-30 16:39:25,501 fail2ban.observer       [1]: INFO    [postfix] IP 212.70.149.67 is bad: 1 # last 2020-07-30 03:57:44 - incr 1:00:00 to 10:00:44
2020-07-30 16:39:25,502 fail2ban.observer       [1]: NOTICE  [postfix] Increase Ban 212.70.149.67 (2 # 10:00:44 -> 2020-07-31 02:40:08)
2020-07-30 16:39:25,509 fail2ban.utils          [1]: ERROR   7f84ad282510 -- exec: iptables -w -N f2b-postfix
iptables -w -A f2b-postfix -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix
2020-07-30 16:39:25,510 fail2ban.utils          [1]: ERROR   7f84ad282510 -- stderr: 'iptables: Chain already exists.'
2020-07-30 16:39:25,510 fail2ban.utils          [1]: ERROR   7f84ad282510 -- stderr: 'iptables: No chain/target/match by that name.'
2020-07-30 16:39:25,510 fail2ban.utils          [1]: ERROR   7f84ad282510 -- returned 1
2020-07-30 16:39:25,511 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'postfix' action 'iptables-multiport' info 'ActionInfo({'ip': '212.70.149.67', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7f84ad942e50>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7f84ad941550>})': Error starting action Jail('postfix')/iptables-multiport: 'Script error'
2020-07-30 16:39:31,207 fail2ban.filter         [1]: INFO    [postfix] Found 212.70.149.67 - 2020-07-30 16:39:31
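
The logs in this thread show fail2ban emitting a `Ban` NOTICE even though the `iptables-multiport` action then fails, so the notice alone does not prove the address was blocked. The following added example (not code from this thread or from the docker-fail2ban project) pairs each notice with any later `Failed to execute ban` error; the sample log is constructed in the format shown above, using documentation IP addresses.

```python
import re

# Constructed sample in the fail2ban log format shown in this issue;
# the IPs are documentation addresses, not values from the thread.
SAMPLE_LOG = """\
2020-07-30 16:39:25,498 fail2ban.actions        [1]: NOTICE  [postfix] Ban 203.0.113.10
2020-07-30 16:39:25,509 fail2ban.utils          [1]: ERROR   7f84ad282510 -- exec: iptables -w -N f2b-postfix
iptables -w -A f2b-postfix -j RETURN
iptables -w -I DOCKER-USER -p tcp -m multiport --dports smtp,465,submission -j f2b-postfix
2020-07-30 16:39:25,510 fail2ban.utils          [1]: ERROR   7f84ad282510 -- stderr: 'iptables: Chain already exists.'
2020-07-30 16:39:25,510 fail2ban.utils          [1]: ERROR   7f84ad282510 -- stderr: 'iptables: No chain/target/match by that name.'
2020-07-30 16:39:25,510 fail2ban.utils          [1]: ERROR   7f84ad282510 -- returned 1
2020-07-30 16:39:25,511 fail2ban.actions        [1]: ERROR   Failed to execute ban jail 'postfix' action 'iptables-multiport' info 'ActionInfo({'ip': '203.0.113.10', 'family': 'inet4'})': Error starting action Jail('postfix')/iptables-multiport: 'Script error'
2020-07-30 16:41:02,100 fail2ban.actions        [1]: NOTICE  [sshd] Ban 198.51.100.7
"""

BAN = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
STDERR = re.compile(r"ERROR\s+\S+ -- stderr: '(?P<msg>.*)'\s*$")
FAILED = re.compile(
    r"Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'"
    r".*?'ip': '(?P<ip>[^']+)'"
)


def audit_bans(log_text):
    """Return (enforced, failed): announced bans vs. bans whose action errored."""
    announced, failed, stderr = [], [], []
    for line in log_text.splitlines():
        if m := BAN.search(line):
            announced.append((m["jail"], m["ip"]))
            stderr = []  # stderr lines that follow belong to this ban
        elif m := STDERR.search(line):
            stderr.append(m["msg"])
        elif m := FAILED.search(line):
            failed.append({"jail": m["jail"], "ip": m["ip"],
                           "action": m["action"], "stderr": stderr})
            stderr = []
    failed_keys = {(f["jail"], f["ip"]) for f in failed}
    enforced = [b for b in announced if b not in failed_keys]
    return enforced, failed


if __name__ == "__main__":
    enforced, failed = audit_bans(SAMPLE_LOG)
    for f in failed:
        print(f"NOT ENFORCED {f['ip']} jail={f['jail']} action={f['action']}: "
              + "; ".join(f["stderr"]))
    for jail, ip in enforced:
        print(f"ok {ip} jail={jail}")
```

Any address reported as not enforced is still able to reach the service, so the stderr text attached to it is the place to start when checking why the firewall rule was not installed.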
